/wp-admin/admin.php still accessible? Still getting warnings about Brute Force

  • Resolved angelalgibson

    (@angelalgibson)


    9 years, 2 months ago

    Hi there,

    Firstly, thank you for this great plugin!

    I installed and set my custom login URL and all was working fantastic for a few weeks. Now I’m starting to get emails that bots/hackers are once again trying to Brute Force attack my site.

    However, instead of accessing /wp-login.php, they are now going directly to https://mywebsite.com/wp-admin/admin.php.

    When I put in the URL https://mywebsite.com/wp-login.php or https://mywebsite.com/wp-admin/admin.php they are no longer accessible and throw a 404 Not Found error.

    Yet I’m getting emails that users are locked out for too many incorrect attempted logins or attempting to login in with an invalid username such as ‘admin.’ Some have even figured out what the actual Username is and I’m not sure how that happened because it’s unusual.

    I’m using Wordfence and the email warnings have been triggered through that plugin. I’ve also logged in and watched live traffic on the site as reported by Wordfence and the attacks continue to happen.

    Any help would be appreciated!

    Thank you!

    ~ Angela

    https://www.ads-software.com/plugins/wps-hide-login/

Viewing 6 replies - 1 through 6 (of 6 total)

  • Same here. I thought moving the login page would stop the bots from accessing the login page. how do they still have access?

    Really wish wordpress would make a core feature or two to enhance security.

    Thread Starter angelalgibson

    (@angelalgibson)

    Really wish wordpress would make a core feature or two to enhance security.

    Exactly, RK… I have no idea why this is not standard core security features in WordPress.

    Hello,

    I’m not sure how Wordfence handles all this, but if the wp-login.php and wp-admin/ are throwing 404 error when you’re trying to access them, the plugin is working as it should.

    The bots can figure out your username by other means, for example on your posts author page, if there is a link to it somewhere on your website, the username is in the code.

    There is a plugin to prevent this by the way : https://www.ads-software.com/plugins/user-name-security/

    Thread Starter angelalgibson

    (@angelalgibson)

    Hi,

    I don’t post author name on any posts. All hidden as far as I know.

    The login URL is not visible or accessible anywhere as far as I know.

    There is no link to login URL or any usernames.

    The custom URL was provided via an email to two company team members only.

    I am still getting notifications of brute force attacks, failed login attempts, and failed password reset attempts via Wordfence.

    Please help!

    ~ Angela

    Please provide me a link to your website and I’ll have a look

    Hi Remy,
    Great plug…thank you!

    You say:

    I’m not sure how Wordfence handles all this, but if the wp-login.php and wp-admin/ are throwing 404 error when you’re trying to access them, the plugin is working as it should.

    Showing a 404 essentially gives a sneak peek of the site and its navigation structure which is usually present on the 404 page.
    This defeats the purpose of your plug as people can see behind the curtain…[even if clicking on the nav links go to your login page it still allows users to see a section of the site.]

    Like the posters above, and many others, I use a custom wp login url

    Is there any way to stop users seeing the 404 page when they try to access wp-admin and standard wp-login?

    i.e. every url goes to your login page forcing every user to enter your password to get to the wp login page.

    many thanks

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘/wp-admin/admin.php still accessible? Still getting warnings about Brute Force’ is closed to new replies.